Each RRset in a DNSSEC-signed zone (every record of one type at one name) has a digital signature attached to it, published alongside the data as an RRSIG record. When a user enters the domain in a browser, a validating resolver verifies that signature against the zone’s public key (its DNSKEY record), much as a TLS client checks a certificate chain: the child zone’s key is vouched for by a DS record in the parent zone, which is itself signed, and so on up to the root trust anchor the resolver is configured with. If the signature does not verify, the resolver does not use the data; it marks the answer bogus and returns an error (SERVFAIL) to the client. Note that DNSSEC authenticates DNS data but does not encrypt it: the question and the answer are still visible on the wire.
DNSSEC ensures that the information in the response you receive is the information the registrant of the domain name, or whoever operates the zone on their behalf, actually published. When a registrant registers a domain name on the Internet, they can also have the domain name secured via DNSSEC: the zone is signed with its own keys, and the registrant submits the matching DS record (a hash of the zone’s key-signing key) through their registrar so that it is placed in the parent zone. From then on every DNS response for the domain carries an RRSIG, and a validating resolver can check that the data is authentic and complete: no record was altered in transit or dropped from the set, and even a “no such name” answer is covered, through signed NSEC or NSEC3 records. What DNSSEC does not do is vouch for the content itself: a signed record pointing at a malicious address validates just as well, and a compromised signing key or registrar account lets an attacker publish correctly signed data of their own.
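The validation walk described above, as an added example that is not part of this page and not the code of any DNSSEC implementation: a miniature chain-of-trust validator in Go, using only the standard library’s ECDSA P-256 with SHA-256 (DNSSEC algorithm 13). The zone names (example.test.), keys and addresses are made up; the canonical RRset form and the DS and RRSIG formats are simplified (ASN.1 signatures instead of DNSSEC’s raw r||s, no key tags, no signature validity window), and a single DS per child zone is assumed.

```go
// Added example (not the page's code): a miniature DNSSEC chain-of-trust validator
// in Go, ECDSA P-256/SHA-256 (algorithm 13). Names and keys are made up; formats simplified.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is all records of one type at one owner name: the unit DNSSEC signs.
type RRset struct {
	Owner, Type string
	Rdata       []string
}

// canonical is the simplified form a signature covers: lowercase owner, type and
// rdata in sorted order, so record order or name case cannot change what is signed.
func canonical(rr RRset) []byte {
	rd := append([]string(nil), rr.Rdata...)
	sort.Strings(rd)
	return []byte(strings.ToLower(rr.Owner) + "|" + rr.Type + "|" + strings.Join(rd, "|"))
}

// MakeDS is what the parent zone publishes for a child key: the SHA-256 of the
// owner name plus the DNSKEY RDATA (flags 257, protocol 3, algorithm 13, X||Y).
func MakeDS(owner string, k *ecdsa.PublicKey) string {
	rdata := append(append([]byte{1, 1, 3, 13}, k.X.FillBytes(make([]byte, 32))...), k.Y.FillBytes(make([]byte, 32))...)
	sum := sha256.Sum256(append([]byte(strings.ToLower(owner)), rdata...))
	return fmt.Sprintf("13 2 %x", sum[:]) // presentation form: "algorithm digest-type hex"
}

// check aborts on errors that only a failing system RNG can cause.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Sign produces the RRSIG over rr (ASN.1 DER here; DNSSEC itself uses raw r||s).
func Sign(priv *ecdsa.PrivateKey, rr RRset) []byte {
	h := sha256.Sum256(canonical(rr))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	check(err)
	return sig
}

// Verify checks an RRSIG against a DNSKEY; any changed bit of rr makes it fail.
func Verify(k *ecdsa.PublicKey, rr RRset, sig []byte) bool {
	h := sha256.Sum256(canonical(rr))
	return k != nil && ecdsa.VerifyASN1(k, h[:], sig)
}

// Chain is what a validating resolver gathers for one answer: the configured
// trust anchor for the parent zone, the child's DS as served and signed by the
// parent (one DS assumed), the child's own DNSKEY, and the answer with its RRSIG.
type Chain struct {
	ParentKey, ChildKey *ecdsa.PublicKey
	DSSet, Answer       RRset
	DSSig, AnswerSig    []byte
}

// Validate walks trust anchor -> DS -> child DNSKEY -> answer; nil means secure.
func Validate(c Chain) error {
	switch {
	case !Verify(c.ParentKey, c.DSSet, c.DSSig):
		return errors.New("bogus: DS RRset does not verify under the trust anchor")
	case c.ChildKey == nil || len(c.DSSet.Rdata) == 0 || MakeDS(c.DSSet.Owner, c.ChildKey) != c.DSSet.Rdata[0]:
		return errors.New("bogus: child DNSKEY does not match the DS at the parent")
	case !Verify(c.ChildKey, c.Answer, c.AnswerSig):
		return errors.New("bogus: answer RRSIG does not verify under the child DNSKEY")
	}
	return nil
}

// BuildChain signs a made-up parent/child zone pair so Validate can run offline.
func BuildChain() Chain {
	parent, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	child, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err1)
	check(err2)
	ds := RRset{"example.test.", "DS", []string{MakeDS("example.test.", &child.PublicKey)}}
	a := RRset{"www.example.test.", "A", []string{"192.0.2.10", "192.0.2.11"}}
	return Chain{&parent.PublicKey, &child.PublicKey, ds, a, Sign(parent, ds), Sign(child, a)}
}

func main() {
	c := BuildChain()
	fmt.Println("genuine answer:", Validate(c)) // prints <nil>: secure
	c.Answer.Rdata = []string{"203.0.113.66", "192.0.2.11"} // spoofed address
	fmt.Println("spoofed answer:", Validate(c))
}
```

What the example shows is the shape of the resolver’s decision rather than the exact wire encoding: a spoofed address fails the RRSIG check, an attacker’s self-consistent key and signature fail at the DS step because nothing in the parent zone vouches for that key, and reordering the records of an RRset does not break the signature because the canonical form sorts them. In a real validating resolver the chain starts at the root trust anchor, every DNSKEY RRset is itself signed, and a bogus result is surfaced to the client as SERVFAIL.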